Wordfence Protection from Plugin Vulnerabilities

Hey @jimario,

This is indeed a known vulnerability that we’ve shared with the community. You should remove it from all sites that you manage.

We’ll be releasing a firewall rule to protect against it in the free version of the plugin May 10th.

Thanks,

Gerald

• This reply was modified 5 years, 11 months ago by WFGerroald.

Hi @jimario,

Unfortunately no, this plugin included code that would escalate any user to administrative privileges. This means that Wordfence or any other WordPress plugin would see the current user as being an administrator.

Wordfence has quickly added these rules to its firewall, you can read the blog post here.

https://www.wordfence.com/blog/2019/04/zero-day-vulnerability-in-yellow-pencil-visual-theme-customizer-exploited-in-the-wild/

Dave

Thank you. That is very helpful for my understanding.